
Re: Review of new lintian tags



On Mon, Jan 6, 2014 at 8:11 PM, Bastien ROUCARIES
<roucaries.bastien@gmail.com> wrote:
> On 6 Jan 2014 00:34, "Justin B Rye" <justin.byam.rye@gmail.com> wrote:
>>
>> Bastien ROUCARIES wrote:
>> > Could you review and improve the new lintian tags?

Patch after first review

Sorry if I missed some of your remarks.

Bastien
diff --git a/checks/changelog-file.desc b/checks/changelog-file.desc
index 5cfd484..2c6607f 100644
--- a/checks/changelog-file.desc
+++ b/checks/changelog-file.desc
@@ -342,6 +342,13 @@ Info: The latest entries in the Debian changelog file and NEWS.Debian file
  changelog information is canonical and the NEWS.Debian information is
  ignored, but it may be confusing to users to have them be different.
 
+Tag: bad-intended-distibution
+Severity: normal
+Certainty: wild-guess
+Experimental: yes
+Info: The last changelog entry is intended to be uploaded
+ to a particular distribution, whereas the changelog said otherwise.
+
 Tag: version-refers-to-distribution
 Severity: minor
 Certainty: certain
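Review bot: the new tag name is misspelled: `bad-intended-distibution` should be `bad-intended-distribution`. Tag names end up in package overrides, so this needs fixing before the tag ships, not after. The Info text is also hard to act on: "is intended to be uploaded to a particular distribution, whereas the changelog said otherwise" never says which two values are being compared, so the maintainer cannot tell what to correct. Suggest naming both sides explicitly (the distribution given in the changelog entry and whatever the check compares it against).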
diff --git a/checks/cruft.desc b/checks/cruft.desc
index c0e4e32..ca916c8 100644
--- a/checks/cruft.desc
+++ b/checks/cruft.desc
@@ -3,7 +3,7 @@ Author: Sean 'Shaleh' Perry <shaleh@debian.org>
 Abbrev: deb
 Type: source
 Info: This looks for cruft in Debian packaging or upstream source
-Needs-Info: unpacked, debfiles, diffstat, file-info, index
+Needs-Info: unpacked, debfiles, diffstat, file-info, index, md5sums
 
 Tag: native-package-with-dash-version
 Severity: normal
@@ -326,7 +326,7 @@ Info: The Debian diff or native package contains a file ending in
 Tag: diff-contains-substvars
 Severity: normal
 Certainty: certain
-Info: Lintian found a substvars file in the Debian diff for this source 
+Info: Lintian found a substvars file in the Debian diff for this source
  package. The debian/substvars (or debian/<tt>package</tt>.substvars) file
  is usually generated and modified dynamically by debian/rules targets, in
  which case it must be removed by the clean target.
@@ -432,6 +432,62 @@ Info: The source tarball contains a prebuilt ELF object.  They are usually
  directory first.  You may want to report this as an upstream bug, in case
  there is no sign that this was intended.
 
+Tag: source-contains-prebuilt-flash-object
+Severity: pedantic
+Certainty: possible
+Info: The source tarball contains a prebuilt file in the Shockwave Flash (SWF)
+ or Flash Video (FLV) format.  These are often included by mistake when
+ developers generate a tarball without cleaning the source directory
+ first.  An exception is simple video files, which are their own
+ source.
+ .
+ If there is no sign this was intended, consider reporting it as an
+ upstream bug.
+ .
+ If the Flash file is not meant to be modified directly, please make
+ sure the package includes the source for the file and that the
+ packaging rebuilds it.
+
+Tag: source-contains-prebuilt-flash-project
+Severity: pedantic
+Certainty: possible
+Info: The source tarball contains a prebuilt flash project.  They are usually
+ left by mistake when generating the tarball by not cleaning the source
+ directory first.  You may want to report this as an upstream bug, in case
+ there is no sign that this was intended.
+
+Tag: source-contains-prebuilt-java-object
+Severity: pedantic
+Certainty: possible
+Info: The source tarball contains a prebuilt Java class file.  These are often
+ included by mistake when developers generate a tarball without cleaning
+ the source directory first.  If there is no sign this was intended,
+ consider reporting it as an upstream bug.
+
+Tag: source-contains-prebuilt-javascript-object
+Severity: pedantic
+Certainty: possible
+Info: The source tarball contains a prebuilt javascript object.  They are
+ usually left by mistake when generating the tarball by not cleaning the
+ source directory first.  You may want to report this as an upstream bug,
+ in case there is no sign that this was intended.
+
+Tag: source-contains-prebuilt-python-object
+Severity: pedantic
+Certainty: possible
+Info: The source tarball contains a prebuilt python object.  They are
+ usually left by mistake when generating the tarball by not cleaning the
+ source directory first.  You may want to report this as an upstream bug,
+ in case there is no sign that this was intended.
+
+Tag: source-contains-prebuilt-silverlight-object
+Severity: serious
+Certainty: possible
+Info: The source tarball contains a prebuilt Silverlight control.
+ Unfortunately, the tools used to build such files have non-free
+ dependencies and are not present in Debian.  This file must be
+ completely removed.
+
 Tag: source-contains-prebuilt-windows-binary
 Severity: pedantic
 Certainty: certain
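Review bot: the third paragraph of `source-contains-prebuilt-flash-object` reads inverted: "If the Flash file is not meant to be modified directly, please make sure the package includes the source" presumably means the case where the SWF is generated from other source (i.e. it is not the preferred form for modification), so say that. Smaller points in the same hunk: "javascript" and "python" should be capitalised as JavaScript and Python in the Info text, the six stanzas alternate between two wordings of the same "left by mistake when generating the tarball" sentence and could share one, and `source-contains-prebuilt-silverlight-object` combines `Severity: serious` with `Certainty: possible` and an unconditional "This file must be completely removed", which will file RC-level findings on possible false positives; either tighten the detection to `certain` or soften the instruction.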
@@ -502,6 +558,21 @@ Info: The given source file is licensed under GFDL with invariant
 Ref: http://wiki.debian.org/qa.debian.org/gfdlinvariant,
  http://www.debian.org/vote/2006/vote_001
 
+Tag: license-problem-non-free-rfc
+Severity: serious
+Certainty: possible
+Info: The given source file is licensed under the newer RFC
+ license.
+ .
+ The majority of IETF documents, such as RFCs, are not licensed
+ under DFSG-free terms, and should thus not be included in Debian's main.
+ .
+ If this file is multi-licensed, please override the tag.
+ .
+ If this is a false-positive, please report a bug against Lintian.
+Ref: https://wiki.debian.org/NonFreeIETFDocuments
+
+
 Tag: license-problem-gfdl-invariants-empty
 Severity: minor
 Certainty: possible
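Review bot: "licensed under the newer RFC license" does not identify which licence text the check matched, so a maintainer reading the tag cannot confirm the finding; name the licence (or the boilerplate the check looks for) in the first sentence. Also "Debian's main" should just be "main" to match the wording used elsewhere in this file, and the stanza ends with two blank lines where every other stanza uses one.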
@@ -514,6 +585,51 @@ Info: The given source file is licensed under GFDL, but without any
 Ref: http://wiki.debian.org/qa.debian.org/gfdlinvariant,
  http://www.debian.org/vote/2006/vote_001
 
+Tag: license-problem-nvidia-intellectual
+Severity: serious
+Certainty: possible
+Info: The following source files include material under a
+ non-distributable license from Nvidia. Therefore, it is
+ not even possible to ship this in non-free.
+ .
+ Please re-package the package without the file (if possible)
+ or ask the FTP-masters to remove the package.
+ .
+ If the package has been uploaded to Debian before, please
+ remember to also notify snapshot.debian.org about this
+ package containing a non-distributable file.
+ .
+ If this is a false-positive, please report a bug against Lintian.
+Ref: http://bugs.debian.org/724930#27
+
+Tag: license-problem-md5sum-non-distributable-file
+Severity: serious
+Certainty: certain
+Info:  The following file is not distributable even in the non-free
+ archive.
+ .
+ Please re-package the package without the file (if possible)
+ or ask the FTP-masters to remove the package.
+ .
+ If the package has been uploaded to Debian before, please
+ remember to also notify snapshot.debian.org about this
+ package containing a non-distributable file.
+ .
+ If this is a false-positive, please report a bug against Lintian.
+
+Tag: license-problem-md5sum-non-free-file
+Severity: serious
+Certainty: certain
+Info: The following file is not suitable for main or contrib.
+ .
+ Please re-package the package without the file (if possible)
+ or ask the FTP-masters to remove the package.
+ .
+ You could also split this package and move this file into the
+ non-free archive.
+ .
+ If this is a false-positive, please report a bug against Lintian.
+
 Tag: source-contains-unsafe-symlink
 Severity: serious
 Certainty: possible
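Review bot: `license-problem-md5sum-non-distributable-file` and `license-problem-md5sum-non-free-file` are `Certainty: certain` yet their Info never says how the file was identified; since no licence text is quoted, the maintainer is left guessing why the file is non-free. Add a sentence saying the file was matched by checksum against a list of known non-free or non-distributable files, which also explains the otherwise implementation-flavoured "md5sum" in the tag name. Minor: `Info:  The following file` at the start of the non-distributable stanza has a double space, and the Nvidia stanza says "The following source files include" although the tag is emitted per file.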
diff --git a/checks/fields.desc b/checks/fields.desc
index 8db6465..d55c11a 100644
--- a/checks/fields.desc
+++ b/checks/fields.desc
@@ -390,6 +390,20 @@ Info: This non-native package lacks a <tt>Homepage</tt> field.  If the
  field to <tt>debian/control</tt>.
 Ref: policy 5.6.23
 
+Tag: homepage-in-binary-package
+Severity: wishlist
+Certainty: possible
+Info: This non-native source package produces at least one binary package
+ with a <tt>Homepage</tt> field.  However, the source package itself has
+ no <tt>Homepage</tt> field.  Unfortunately, this results in some
+ source-based tools/services (e.g. the PTS) not linking to the homepage
+ of the upstream project.
+ .
+ If you move the <tt>Homepage</tt> field to the source paragraph in
+ <tt>debian/control</tt> then all binary packages from this source
+ will inherit the value by default.
+Ref: policy 5.6.23
+
 Tag: homepage-for-cpan-package-contains-version
 Severity: minor
 Certainty: certain
@@ -573,6 +587,13 @@ Info: The package declares a build-depends on an essential package, e.g. dpkg,
  is if you need a particular version of that package, in which case the
  version should be given in the dependency.
 
+Tag: build-depends-on-an-obsolete-java-package
+Severity: normal
+Certainty: certain
+Ref: java-policy 2.2
+Info: The package build-depends on an obsolete Java dependency.
+ It should build-depend on default-jdk instead.
+
 Tag: build-depends-on-non-build-package
 Severity: important
 Certainty: certain
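Review bot: the Info for `build-depends-on-an-obsolete-java-package` neither names the obsolete package that triggered the tag nor explains what makes it obsolete, so the maintainer has to work that out from the tag context alone; consider stating that the tag fires for the removed or transitional Java packages the check lists and pointing at the list. "It should build-depend on default-jdk instead" is also only right when a compiler is needed, so a hedge such as "or the appropriate default-jre package if only a runtime is required" would avoid sending people to the wrong replacement. Style point: this stanza puts `Ref:` before `Info:` while the rest of the file puts it after.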
@@ -974,13 +995,15 @@ Info: This package is also provided by one of the Perl core packages
 Ref: policy 7.5
 
 Tag: vcs-field-uses-not-recommended-uri-format
-Severity: minor
+Severity: normal
 Certainty: possible
-Info: The VCS-* field uses an URI which doesn't match the recommended
+Info: The VCS-* field uses a URI which doesn't match the recommended
  format, but still looks valid. Examples for not recommended URI formats
  are protocols that require authentication (like SSH). Instead where
- possible you should provide an URI that is accessible for everyone
+ possible you should provide a URI that is accessible for everyone
  without authentication.
+ .
+ This renders debcheckout(1) unusable in these cases.
 
 Tag: vcs-field-uses-unknown-uri-format
 Severity: normal
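Review bot: "This renders debcheckout(1) unusable in these cases." overstates the preceding paragraph, which only says the URI requires authentication; debcheckout still works for people who hold the credentials. Suggest "This makes debcheckout(1) unusable for anyone without access credentials." Since the same hunk raises the severity from minor to normal, that sentence is also the place to say that this is why, so the bump does not look arbitrary.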
diff --git a/checks/files.desc b/checks/files.desc
index b98f414..58f8411 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -36,7 +36,7 @@ Info: This file is reserved by a specific package.  Please email the
 Tag: FSSTND-dir-in-usr
 Severity: serious
 Certainty: certain
-Info: As of policy version 3.0.0.0, Debian no longer follows the FSSTND.  
+Info: As of policy version 3.0.0.0, Debian no longer follows the FSSTND.
  .
  Instead, the Filesystem Hierarchy Standard (FHS), version 2.3, is
  used. You can find it in /usr/share/doc/debian-policy/fhs/ .
@@ -45,7 +45,7 @@ Ref: policy 9.1.1
 Tag: FSSTND-dir-in-var
 Severity: serious
 Certainty: certain
-Info: As of policy version 3.0.0.0, Debian no longer follows the FSSTND.  
+Info: As of policy version 3.0.0.0, Debian no longer follows the FSSTND.
  .
  Instead, the Filesystem Hierarchy Standard (FHS), version 2.3, is
  used. You can find it in /usr/share/doc/debian-policy/fhs/ .
@@ -70,9 +70,15 @@ Tag: package-installs-into-etc-rc.boot
 Severity: serious
 Certainty: certain
 Info: The package installs files in the <tt>/etc/rc.boot</tt> directory,
- which is obsolete.  See rc.boot(5) for details.
+ which is obsolete.
 Ref: policy 9.3.4
 
+Tag: package-install-into-obsolete-dir
+Severity: normal
+Certainty: certain
+Info: The package installs files to an obsolete directory.
+ Please use a newer path.
+
 Tag: non-standard-file-permissions-for-etc-init.d-script
 Severity: important
 Certainty: certain
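Review bot: the new tag name `package-install-into-obsolete-dir` does not follow the grammar of its neighbour `package-installs-into-etc-rc.boot`; use `package-installs-into-obsolete-dir`. Its Info, "The package installs files to an obsolete directory. Please use a newer path.", gives the maintainer nothing to go on: say which directory was matched and what replaced it, or at least point at where the list of obsolete directories (and their replacements) lives. The removal of "See rc.boot(5) for details" from the existing stanza is not explained in the mail either; if the man page is gone that is worth a word.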
@@ -778,7 +784,7 @@ Severity: normal
 Certainty: certain
 Ref: policy 8.4
 Info: Ada Library Information (*.ali) files are required to be read-only
- (mode 0444) by GNAT. 
+ (mode 0444) by GNAT.
  .
  If at least one user can write the *.ali file, GNAT considers whether
  or not to recompile the corresponding source file.  Such recompilation
@@ -791,8 +797,8 @@ Severity: normal
 Certainty: certain
 Info: package contains a README.(platform) file that contains instructions
  specific to a platform or distribution other than Debian and thus can
- most likely be removed.  If it contains information that pertains to 
- Debian, please consider renaming it, or including it in an already 
+ most likely be removed.  If it contains information that pertains to
+ Debian, please consider renaming it, or including it in an already
  existing README file.
 
 Tag: desktop-file-in-wrong-dir
@@ -922,6 +928,110 @@ Info: This package contains an embedded copy of JavaScript libraries
  package and symlink the library into the appropriate location.
 Ref: policy 4.13
 
+Tag: privacy-breach-generic
+Severity: important
+Certainty: wild-guess
+Experimental: yes
+Info: This package creates a potential privacy breach by fetching data
+ from an external website at runtime. Please remove these scripts or
+ external HTML resources.
+
+Tag: privacy-breach-google-adsense
+Severity: serious
+Certainty: possible
+Info: This package creates a privacy breach by using Google AdSense.
+ Google AdSense is a service run by Google that allows publishers
+ of websites to automatically serve advertisements. Unfortunately, it
+ requires tracking and breaching the privacy of web users.
+ .
+ This tag can also indicate the use of the related obsolete privacy
+ breaching software, Urchin WebAnalytics.
+ .
+ Note that using Google AdSense in a local copy of a page is a violation of
+ the Google AdSense terms of use. This violation renders this package not
+ distributable in Debian, and is thus a serious bug.
+
+Tag: privacy-breach-donation
+Severity: serious
+Certainty: possible
+Ref: https://wiki.debian.org/UpstreamMetadata
+Info: This package create a potential privacy breach by fetching data
+ from a donation website at runtime.
+ .
+ Please remove this privacy problem and add a note to the
+ debian/upstream file using the donation field.
+
+Tag: privacy-breach-logo
+Severity: serious
+Certainty: possible
+Info: This package creates a potential privacy breach by fetching a
+ logo at runtime.
+ .
+ Before using a local copy you should check that the logo is suitable
+ for main. Ask debian-legal for advice.
+
+Tag: privacy-breach-facebook
+Severity: serious
+Certainty: possible
+Info:  This package creates a privacy breach by exchanging data with
+ Facebook at runtime via plugins such as "Share" or "Like" buttons.
+ .
+ Please remove these scripts or frames.
+
+Tag: privacy-breach-google-cse
+Severity: serious
+Certainty: possible
+Info: This package creates a potential privacy breach by fetching
+ data from Google at runtime, and may feed private data to Google via
+ Custom Search Engine queries.
+ .
+ Please remove these scripts.
+
+Tag: privacy-breach-piwik
+Severity: serious
+Certainty: possible
+Info: This package creates a privacy breach by using Piwik.
+ Piwik is a free and open source web analytics application, designed to
+ allow publishers of websites to track visitors.
+ .
+ Even though Piwik is free and respects the "Do Not Track" browser
+ option, it is nevertheless a breach of the privacy of web users.
+
+Tag: privacy-breach-statistics-website
+Severity: important
+Certainty: possible
+Info: This package creates a privacy breach by fetching data from
+ an external website in order to compile visitor statistics.
+ .
+ Please remove these scripts.
+ .
+ Please ask upstream to use the free software web analytics engine
+ Piwik, which respects the "Do Not Track" browser option.
+ .
+ This tag covers the following websites:
+ * cruel-carlota.pagodabox.com
+ * linkexchange.com (defunct)
+ * nedstatbasic.net
+ * statcounter.com
+ * sitemeter.com
+ * webstats.motigo.com
+
+Tag: privacy-breach-w3c-valid-html
+Severity: serious
+Certainty: possible
+Ref: http://validator.w3.org/docs/help.html#icon,
+     http://www.w3.org/Consortium/Legal/logo-usage-20000308
+Info: This package creates a potential privacy breach by fetching W3C
+ validation icons.
+ .
+ These badges may be displayed to tell readers that care has been
+ taken to make a page compliant with W3C standards. Unfortunately,
+ downloading the image from www.w3.org might expose the reader's IP
+ address to potential tracking.
+ .
+ Note that these icons are non-free and must not be copied into the
+ package. You could safely delete this W3C validation badge.
+
 Tag: embedded-feedparser-library
 Severity: normal
 Certainty: certain
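Review bot: the hunk contradicts itself about Piwik: `privacy-breach-piwik` is `Severity: serious` and says using Piwik "is nevertheless a breach of the privacy of web users", while `privacy-breach-statistics-website` tells the maintainer to "ask upstream to use the free software web analytics engine Piwik". Either drop the recommendation or lower the Piwik tag and explain what makes a self-hosted Piwik acceptable. Grammar and formatting in the same hunk: "This package create a potential privacy breach" in the donation stanza should be "creates", and `Info:  This package creates` in the facebook stanza has a double space. The donation stanza also refers to "the debian/upstream file using the donation field" without naming the field exactly as the linked wiki page spells it; please quote it verbatim so it can be copied.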
@@ -1040,9 +1150,8 @@ Severity: important
 Certainty: certain
 Ref: http://lists.debian.org/debian-devel/2009/03/msg00119.html
 Info: Files in <tt>/etc/modprobe.d</tt> should use filenames ending in
- <tt>.conf</tt>.  modprobe currently warns about files which do not match
- this convention and at some point in the future the files will no longer
- be processed.
+ <tt>.conf</tt>. modprobe silently ignores all files which do not match
+ this convention.
  .
  If the file is an example containing only comments, consider installing
  it in another location as files in <tt>/etc/modprobe.d</tt> are
@@ -1300,9 +1409,13 @@ Info: The gzip file contains a timestamp that will differ between
 Tag: pkg-config-multi-arch-wrong-dir
 Severity: important
 Certainty: possible
-Info: The arch all pkg-config file contains reference to an multi-arch path.
+Info: The arch all pkg-config file contains a reference to a multi-arch path.
  .
  This can be usually be fixed by moving this file to a multi-arch path.
+ .
+ Another likely cause is using debhelper 9 or newer (thus enabling
+ multi-arch paths by default) on a package without multi-arch support.
+ The usual cure in this case is to update it for multi-arch.
 
 Tag: dir-or-file-in-home
 Severity: serious
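Review bot: the context line "This can be usually be fixed by moving this file to a multi-arch path." carries a duplicated "be"; since this stanza is being edited anyway, fix it to "This can usually be fixed". In the added paragraph, "The usual cure in this case is to update it for multi-arch." leaves "it" ambiguous (the package, or the file?); say "update the package for multi-arch".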
diff --git a/checks/rules.desc b/checks/rules.desc
index 2352c88..e1a1931 100644
--- a/checks/rules.desc
+++ b/checks/rules.desc
@@ -77,7 +77,7 @@ Info: The <tt>debian/rules</tt> file for this package appears to
  include a Makefile that has been deprecated.  Please refer to the
  documentation of the providing package for a replacement (if any).
 
-Tag: debian-rules-uses-pwd
+Tag: debian-rules-should-not-use-pwd
 Severity: normal
 Certainty: certain
 Info: The <tt>debian/rules</tt> file for this package appears to use the
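Review bot: this hunk, and every other tag rename in the patch (the remaining `checks/rules.desc` renames and the `maintainer-script-should-not-*` series in `checks/scripts.desc`), drops the old tag name outright. Any existing override written against `debian-rules-uses-pwd` and friends will stop matching after this lands, so the change needs at least a changelog entry listing the old and new names, and ideally a transition period or alias so that overrides are not silently invalidated.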
@@ -110,14 +110,14 @@ Info: A rule in the <tt>debian/rules</tt> file for this package calls the
  so that other error messages from the clean or distclean rule will still
  be caught (or just remove the "-" if the package uses a static makefile).
 
-Tag: debian-rules-uses-DEB_BUILD_OPTS
+Tag: debian-rules-should-not-use-DEB_BUILD_OPTS
 Severity: normal
 Certainty: certain
 Info: The standard environment variable for build options is
  DEB_BUILD_OPTIONS.  Usually, referring to DEB_BUILD_OPTS is a mistake and
  DEB_BUILD_OPTIONS was intended instead.
 
-Tag: debian-rules-automatically-updates-control
+Tag: debian-rules-should-not-automatically-update-control
 Severity: serious
 Certainty: possible
 Info: DEB_AUTO_UPDATE_DEBIAN_CONTROL appears to be set to <tt>yes</tt> in
@@ -210,7 +210,7 @@ Info: The package appears to use an <tt>ExtUtils::MakeMaker</tt>
  should be replaced with
    make install DESTDIR=$(TMP)             # RIGHT
 
-Tag: debian-rules-uses-or-modifies-user-only-variable
+Tag: debian-rules-should-not-use-or-modify-user-only-variable
 Severity: normal
 Certainty: possible
 Ref: #631786
@@ -222,6 +222,21 @@ Info: The rules files appear to be reading or modifying a variable not
  can be used by users, who wants to re-compile debian packages with
  special (or non-standard) build flags.
 
+Tag: debian-rules-should-not-use-underscore-variable
+Severity: normal
+Certainty: possible
+Ref: policy 4.9
+Info: The rules file use the make variable $(_).
+ .
+ According to Policy 4.9, <q>invoking either of <tt>make -f debian/rules
+ &lt;args&hellip;&gt;</tt> or <tt>./debian/rules
+ &lt;args&hellip;&gt;</b>' must result in identical behavior.</q>
+ One way to inadvertently violate this policy is to use the $_ variable.
+ .
+ If the rules file uses $(dir $(_)) to discover the directory containing
+ the source package (presumably in order to implement the get-orig-source
+ target), please replace it by $(dir $(firstword $(MAKEFILE_LIST))).
+
 Tag: package-would-benefit-from-build-arch-targets
 Severity: normal
 Certainty: certain
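Review bot: the Policy quotation has broken markup: `&lt;args&hellip;&gt;</b>' must result in identical behavior.</q>` closes a `<tt>` with `</b>` and carries a stray apostrophe; it should read `&lt;args&hellip;&gt;</tt> must result in identical behavior.</q>`. Also "The rules file use the make variable $(_)." should be "uses", and the text switches between `$(_)` and `$_` for the same variable; pick one spelling (the `$(_)` form the tag is about) throughout.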
diff --git a/checks/scripts.desc b/checks/scripts.desc
index f8f30f6..2e9ba5d 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -359,7 +359,7 @@ Info: Maintainer scripts must not create device files directly.  They
  If <tt>mknod</tt> is being used to create a FIFO (named pipe), use
  <tt>mkfifo</tt> instead to avoid triggering this tag.
 
-Tag: start-stop-daemon-in-maintainer-script
+Tag: maintainer-script-should-not-use-start-stop-daemon
 Severity: normal
 Certainty: certain
 Info: The maintainer script seems to call <tt>start-stop-daemon</tt>
@@ -453,7 +453,7 @@ Info: This script calls update-xmlcatalog, which comes from the xml-core
  dh_installxmlcatalogs, add a dependency on ${misc:Depends} and
  dh_installxmlcatalogs will take care of this for you.
 
-Tag: update-alternatives-remove-called-in-postrm
+Tag: maintainer-script-should-not-use-update-alternatives-remove
 Severity: normal
 Certainty: certain
 Info: <tt>update-alternatives --remove &lt;alternative&gt; foo</tt> is
@@ -470,7 +470,19 @@ Info: <tt>update-alternatives --remove &lt;alternative&gt; foo</tt> is
  instead.
 Ref: policy F, update-alternatives(8)
 
-Tag: deprecated-chown-usage
+Tag: maintainer-script-should-not-use-update-alternatives-set
+Severity: normal
+Certainty: certain
+Info: The maintainer script calls <tt>update-alternatives --set
+ &lt;alternative&gt; foo</tt> or <tt>update-alternatives --config
+ &lt;alternative&gt;</tt> or <tt>update-alternatives --set-selections</tt>.
+ .
+ This makes it impossible to distinguish between an alternative that's
+ manually set because the user set it and one that's manually set because
+ the package set it.
+Ref: update-alternatives(8)
+
+Tag: maintainer-script-should-not-use-deprecated-chown-usage
 Severity: normal
 Certainty: certain
 Info: <tt>chown user.group</tt> is called in one of the maintainer
@@ -479,7 +491,7 @@ Info: <tt>chown user.group</tt> is called in one of the maintainer
  as a system uses the "." in user or group names.
 Ref: chown(1)
 
-Tag: maintainer-script-hides-init-failure
+Tag: maintainer-script-should-not-hide-init-failure
 Severity: normal
 Certainty: certain
 Info: This script calls invoke-rc.d to run an init script but then, if the
@@ -501,13 +513,13 @@ Info: This script apparently runs an init script directly rather than
  available.
 Ref: policy 9.3.3.2
 
-Tag: gconftool-used-in-maintainer-script
+Tag: maintainer-script-should-not-use-gconftool
 Severity: normal
 Certainty: possible
 Info: This script apparently runs gconftool or gconftool-2.  It should
  probably be calling gconf-schemas or update-gconf-defaults instead.
 
-Tag: fc-cache-used-in-maintainer-script
+Tag: maintainer-script-should-not-use-fc-cache
 Severity: normal
 Certainty: possible
 Info: This script apparently runs fc-cache.  Updating of the fontconfig
@@ -515,7 +527,7 @@ Info: This script apparently runs fc-cache.  Updating of the fontconfig
  from maintainer scripts is no longer necessary.
 
 Tag: install-info-used-in-maintainer-script
-Severity: normal
+Severity: serious
 Certainty: possible
 Info: This script apparently runs <tt>install-info</tt>.  Updating the
  <tt>/usr/share/info/dir</tt> file is now handled automatically by
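Review bot: the severity of `install-info-used-in-maintainer-script` goes from normal to serious, which makes every hit release-critical, but the tag stays at `Certainty: possible` and the Info text is unchanged and still only says the call is unnecessary. If the reason for the bump is that calling install-info now actually breaks (the tool is no longer available, or the call fails), state that in the Info; otherwise `important` seems the defensible level for a `possible` finding.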
@@ -525,7 +537,7 @@ Info: This script apparently runs <tt>install-info</tt>.  Updating the
  If debhelper generated the maintainer script fragment, rebuilding the
  package with debhelper 7.2.17 or later will fix this problem.
 
-Tag: maintainer-script-uses-dpkg-status-directly
+Tag: maintainer-script-should-not-use-dpkg-status-directly
 Severity: important
 Certainty: certain
 Info: The file /var/lib/dpkg/status is internal to dpkg, may disappear or
@@ -539,7 +551,7 @@ Info: The file /var/lib/dpkg/status is internal to dpkg, may disappear or
  instead.
 Ref: http://wiki.debian.org/DpkgConffileHandling
 
-Tag: maintainer-script-modifies-netbase-managed-file
+Tag: maintainer-script-should-not-modify-netbase-managed-file
 Severity: serious
 Certainty: certain
 Info: The maintainer script modifies at least one of the files
@@ -556,7 +568,7 @@ Info: The maintainer script modifies <tt>/etc/inetd.conf</tt> directly.
  <tt>update-inetd</tt> script or the <tt>DebianNet.pm</tt> Perl module.
 Ref: policy 11.2
 
-Tag: maintainer-script-modifies-ld-so-conf
+Tag: maintainer-script-should-not-modify-ld-so-conf
 Severity: important
 Certainty: possible
 Info: This package appears to modify <tt>/etc/ld.so.conf</tt> and does not
@@ -573,15 +585,35 @@ Info: This package appears to modify <tt>/etc/ld.so.conf</tt> and does not
  packages may cause random segfaults and difficult-to-debug problems
  instead of conflicts in the package manager.
 
-Tag: install-sgmlcatalog-deprecated
+Tag: maintainer-script-should-not-use-install-sgmlcatalog
+Severity: important
+Certainty: certain
+Info: The maintainer script apparently runs install-sgmlcatalog.
+ install-sgmlcatalog is deprecated and should only have been used
+ in postinst or prerm to remove the entries from earlier packages.
+ Given how long ago this transition was, consider removing it
+ entirely.
+
+Tag: maintainer-script-should-not-use-service
 Severity: important
 Certainty: certain
-Info: The maintainer script apparently runs install-sgmlcatalog with flags
- other than <tt>--quiet</tt> and <tt>--remove</tt> or in a maintainer
- script other than postinst or prerm.  install-sgmlcatalog is deprecated
- and should only be used in postinst or prerm to remove the entries from
- earlier packages.  Given how long ago this transition was, consider
- removing it entirely.
+Experimental: yes
+Info: The maintainer script apparently runs the service command.
+ This command is reserved for local
+ administrators and must never be used by a Debian package.
+
+Tag: maintainer-script-should-not-use-adduser-system-without-home
+Severity: serious
+Certainty: certain
+Info:  The maintainer script apparently runs 'adduser --system'
+ but hardcodes a path under '/home' for the '--home' option or
+ do not use the '--home' option.
+ .
+ The FHS says: <q>/home is a fairly standard concept, but it
+ is clearly a site-specific filesystem. The setup will differ
+ from host to host. Therefore, no program should rely on this
+ location.</q>
+Ref: fhs homeuserhomedirectories
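Review bot: the rewritten `maintainer-script-should-not-use-install-sgmlcatalog` Info drops the condition the old text described (flags other than `--quiet` and `--remove`, or a script other than postinst or prerm). If the check still only fires under that condition, the new text no longer tells the maintainer what they did wrong; if the check was widened to every call, say so in the mail, because that changes what existing packages get flagged. In the adduser stanza, "or do not use the '--home' option" should be "or does not use", and `Info:  The maintainer script` has a double space. The service stanza is wrapped oddly ("This command is reserved for local" on its own short line); reflow it. Please also confirm that `Ref: fhs homeuserhomedirectories` resolves with the reference format the other fhs references in these files use.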
 
 Tag: maintainer-script-empty
 Severity: minor
@@ -628,14 +660,14 @@ Info: The indicated program run in a maintainer script has a prepended
  workarounds in the developer's reference can be used.
 Ref: policy 6.1, devref 6.4
 
-Tag: ancient-dpkg-epoch-check
+Tag: maintainer-script-should-not-use-ancient-dpkg-epoch-check
 Severity: minor
 Certainty: certain
 Info: The package calls dpkg --assert-working-epoch in a maintainer
  script.  This check is obsolete and has always returned true since dpkg
  1.4.0.7, released 1997-01-25.
 
-Tag: ancient-dpkg-multi-conrep-check
+Tag: maintainer-script-should-not-use-ancient-dpkg-multi-conrep-check
 Severity: minor
 Certainty: certain
 Info: The package calls dpkg --assert-multi-conrep in a maintainer
diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index f35ce8c..0ef6106 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -138,6 +138,36 @@ Info: The watch file specifies an upstream version number which matches
  upstream version.  Otherwise, DEHS and similar projects will think the
  package is out of date even when it may not be.
 
+Tag: debian-watch-may-check-gpg-signature
+Severity: pedantic
+Certainty: certain
+Ref: uscan(1)
+Info: This watch file does not include a means to verify
+ the upstream tarball using cryptographic signature.
+ .
+ If upstream distributions provide such signatures, please
+ use the pgpsigurlmangle options in this watch file's
+ opts= to generate the URL of an upstream GPG signature.
+ This signature is automatically downloaded and verified
+ against a keyring stored in debian/upstream-signing-key.pgp
+ .
+ Of course, not all upstreams provide such signatures, but
+ you could request them as a way of verifying that no third
+ party has modified the code against their wishes after the
+ release. We have all heard of the phpmyadmin, unrealircd, or
+ proftpd security bugs (to mention only a few). This would at
+ least make it a lot harder for an attacker to get such code
+ to a wider audience via distributions like Debian.
+
+Tag: debian-watch-file-pubkey-file-is-missing
+Severity: important
+Certainty: certain
+Ref: uscan(1)
+Info: This watch file verifies a cryptographic signature but
+ the upstream public key is missing.
+ .
+ Please add upstream public keys in debian/upstream-signing-key.pgp.
+
 Tag: debian-watch-contains-dh_make-template
 Severity: wishlist
 Certainty: certain
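Review bot: the last paragraph of `debian-watch-may-check-gpg-signature` ("We have all heard of the phpmyadmin, unrealircd, or proftpd security bugs ...") is an anecdote without a reference; either cite the incidents in a `Ref:` or drop the sentence, since a tag description should state the risk, not rely on shared memory. Wording fixes in the same stanza: "using cryptographic signature" should be "using a cryptographic signature", "the pgpsigurlmangle options" should be "the pgpsigurlmangle option", and the sentence ending in `debian/upstream-signing-key.pgp` is missing its full stop. In `debian-watch-file-pubkey-file-is-missing`, "add upstream public keys in" should be "add the upstream public keys to".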